In the two months since the release of WordPress 4.4 "Clifford" in December 2015, WordPress has shipped two major security updates, the second one a few hours ago (at the time of writing). This post lists those fixes and explains why you should update to 4.4.2 immediately (if you haven't already).
Two major security issues and 19 bugs (from versions 4.4 and 4.4.1) have been fixed in this release.
1. SSRF vulnerability fix: a Server Side Request Forgery (SSRF) vulnerability lets an attacker make WordPress issue requests that reach the local server it is installed on.
2. Open redirection fix: open redirection lets an attacker send a visitor to a WordPress site via a URL whose parameter automatically redirects them on to a different website of the attacker's choosing. This is used in phishing attacks.
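Both fixes come down to validating a URL that the server was trusting too readily: a redirect parameter that may point anywhere, and an outbound request target that may point inward. The following is an added example, not WordPress code and not the 4.4.2 patch: a redirect validator that only lets a `redirect_to`-style parameter lead back to the site, and an outbound-URL guard that refuses to fetch anything resolving to a loopback, private or link-local address. The site host `example.org`, the name table and the `constructed_resolver` are assumptions so that it runs offline.

```python
"""Added example: two URL checks against open redirection and SSRF.

Not WordPress code. The site host, the DNS table and the resolver are
constructed for illustration so the example runs offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

SITE_HOST = "example.org"  # assumed hostname of our own site


def validate_redirect(target, site_host=SITE_HOST, fallback="/"):
    """Return a redirect location that stays on site_host, else the fallback.

    Rejects absolute URLs to other hosts, scheme-relative '//host' forms,
    backslash variants that browsers read as slashes, userinfo tricks
    such as 'https://site@evil', and non-http(s) schemes.
    """
    if not target:
        return fallback
    cleaned = target.strip().replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.netloc:
        # Absolute or scheme-relative URL: scheme and host must both match.
        if parts.scheme and parts.scheme.lower() not in ("http", "https"):
            return fallback
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback
        return cleaned
    if parts.scheme:
        # A scheme with no host (javascript:, data:, 'https:foo') is never a
        # location we want to send a visitor to.
        return fallback
    # Site-relative path: require a single leading slash.
    return cleaned if cleaned.startswith("/") else fallback


# Constructed name table standing in for DNS (8.8.8.8 is only a sample
# globally routable address; the names are fictitious).
CONSTRUCTED_DNS = {
    "public.example": ["8.8.8.8"],
    "internal.example": ["10.0.0.5"],
    "dual.example": ["8.8.8.8", "192.168.1.20"],  # one private answer suffices to reject
}


def constructed_resolver(host):
    """Resolver used by the example: literal IPs pass through, names use the table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return CONSTRUCTED_DNS.get(host.lower(), [])


def system_resolver(host):
    """Default resolver: every A/AAAA answer from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_outbound_url(url, resolver=system_resolver):
    """Decide whether the server may fetch url on a user's behalf.

    Only http(s) is allowed, and every address the host resolves to must be
    globally routable: no loopback, private, link-local, multicast or
    reserved ranges, and no IPv4-mapped IPv6 disguises of those.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False
    return True


if __name__ == "__main__":
    for t in ["/wp-admin/", "//evil.example/", "https://example.org@evil.example/"]:
        print(f"redirect {t!r:40} -> {validate_redirect(t)!r}")
    for u in ["http://public.example/", "http://internal.example/", "http://169.254.169.254/"]:
        print(f"fetch    {u!r:40} -> {is_safe_outbound_url(u, constructed_resolver)}")
```

Two caveats a practitioner would want: the outbound check resolves the name once, so the fetch itself should be made to the checked address (or re-checked) rather than resolving again, and any HTTP redirect the fetch follows must be run through the same guard, since a public host can redirect to an internal one.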
Several non-security bugs have also been fixed in this release; the full list of 4.4.2 bug fixes can be found here.
Why you should update immediately:
Now that the vulnerabilities are public, even attackers who were previously unaware of them know about them, and they affect every version before 4.4.2. A parameter in one of your website's URLs could currently be sending your visitors to a site of the attacker's choice.
Don’t leave things to chance and update as soon as possible.
Vulnerabilities were reported by:
1. Ronni Skansing (a Danish coder)
2. Shailesh Suther (Independent Security Researcher)
Wordfence (a popular WordPress security solution) also claims that Matt Barry of its team deserves credit for reporting the SSRF vulnerability back in 2015, although this is not confirmed by the WordPress Security and Maintenance Release page.